Requirements for Transfers Abroad
The DPA prohibits a transfer of personal data abroad if it could seriously endanger the personality rights of the data subjects. Such a danger can exist if the personal data are transferred to a country whose legislation does not provide for an adequate protection of personal data.
EU and EEA member states are considered to provide the required adequate level of data protection for data pertaining to individuals. As EU Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), does not provide such protection for data pertaining to legal entities, EU and EEA member states are not necessarily considered to provide an adequate level of data protection for data pertaining to legal entities.
For non-EU and EEA countries, it is necessary to check on a case-by-case basis whether they provide an adequate level of data protection. For example, neither US federal law nor the laws of any US state are considered to provide an adequate level of data protection. Although the Swiss-US Privacy Shield is still legally valid, the Federal Data Protection and Information Commissioner has stated that importing US companies that have certified under the Swiss-US Privacy Shield are no longer presumed to provide adequate protection. In consequence, cross-border transfers to the US need to rely on other safeguards such as standard contractual clauses. Where necessary, standard contractual clauses should be supplemented and technical measures implemented.
Unless the laws of a country to which the personal data is transferred provide for an adequate level of protection for the personal data to be transferred, the disclosure may only be made if one of the exceptions provided for in the DPA applies. These exceptions are:
1. there are sufficient safeguards (for example contractual clauses in a transborder data transfer agreement) to ensure an adequate level of protection for data transferred outside Switzerland;
2. the data subject has, in the specific case, consented to the transfer of the relevant data outside Switzerland;
3. the data processing is directly connected with the conclusion or performance of a contract and the personal data relates to a contractual party;
4. the transfer of data is necessary in the specific case, either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before courts;
5. disclosure is required in a specific case in order to protect the life or the physical integrity of the data subject;
6. the data subject has made the relevant data generally accessible and has not expressly prohibited processing of the data; or
7. disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.
With necessary amendments required in order to comply with Swiss law, the model agreement of the Council of Europe or the model contracts for the transfer of personal data to third countries of the European Commission may be used in order to provide sufficient safeguards as mentioned in paragraph (1) above. Depending on a case-by-case risk analysis, however, the EU model clauses may not be sufficient to provide the required protection. In this case, additional clauses or technical measures may be required.
In addition, in the case of the exceptions mentioned in paragraphs (1) and (7) above, the Federal Data Protection and Information Commissioner must be informed of the safeguards or rules used. The Federal Data Protection and Information Commissioner must be informed before the first transfer of data is made or, if this is not possible, immediately after the disclosure has occurred.
The intentional failure to inform the Federal Data Protection and Information Commissioner of the safeguards or rules, in the case of the exceptions mentioned under (1) and (7) above, is punished by a fine of up to CHF 10,000. If the fine is not paid, it can be replaced by imprisonment of up to 3 months. The same applies if the information provided is intentionally inaccurate or incomplete.
A transfer of personal data back to Switzerland is not an issue under Swiss data protection law, but the processing of personal data in Switzerland must comply with the rules detailed above.